Techniques
Sample rules
AWS SSM Session Manager Child Process Execution
- source: elastic
- techniques:
- T1059
- T1651
Description
Identifies process start events whose parent is the AWS Systems Manager (SSM) Session Manager worker, or that otherwise descend from an SSM Run Command script (the SSM document worker, or a shell or PowerShell instance started with an awsrunShellScript or awsrunPowerShellScript document). Session Manager provides interactive shell access to EC2 instances and hybrid nodes without bastion hosts or open inbound ports. Adversaries holding valid AWS credentials with the right IAM permissions abuse it for remote execution and lateral movement, since the activity rides on a legitimate agent rather than an inbound network connection to the host. This rule surfaces endpoint execution occurring under those workers for visibility and hunting rather than as a high-confidence alert: expect noise from authorized administrative sessions, and note that it only fires for events whose source populates process.command_line.
Detection logic
event.category: "process" and event.action : ("exec" or "exec_event" or "start" or "ProcessRollup2" or "executed" or "process_started") and
(
process.parent.name:("ssm-session-worker.exe" or "ssm-session-worker" or "ssm-document-worker.exe" or "ssm-document-worker") or
(process.name : "powershell.exe" and process.args : *awsrunPowerShellScript*) or
(process.name : ("dash" or "sh" or "bash") and process.args : *awsrunShellScript*) or
(process.parent.name : "powershell.exe" and process.parent.args : *awsrunPowerShellScript*) or
(process.parent.name : ("dash" or "sh" or "bash") and process.parent.args : *awsrunShellScript*)
) and
process.command_line:* and
not (process.name : "powershell.exe" and process.args :("$str.Substring($str.length" or *Convert-GuidToCompressedGuid* or get-wmiobject* or $wmi_proc* or *win32_quickfixengineering*)) and
not process.executable : ("/usr/bin/lscpu" or "/usr/bin/snap" or "/usr/bin/rpm" or "/usr/bin/dpkg-query" or /snap/snapd/*/usr/bin/snap or "/usr/bin/id" or "C:\\Program Files\\Amazon\\SSM\\Plugins\\SessionManagerShell\\winpty-agent.exe")
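To see how the clauses above interact, the following is an added Python re-implementation of the query run over a handful of constructed events. It is not Elastic's rule engine or rule code; the KQL is transcribed by hand (quoted values as exact matches, unquoted values with `*` as wildcards, any element of an array field may match), and the instance id, script paths and command lines in the sample events are invented for illustration.

```python
"""Hand-written evaluator for the SSM Session Manager child-process rule.

Added example, not Elastic's code. SAMPLE_EVENTS are constructed ECS-shaped
records, not real telemetry; the instance id and paths are made up.
"""
from fnmatch import fnmatchcase

PROCESS_ACTIONS = {"exec", "exec_event", "start", "ProcessRollup2",
                   "executed", "process_started"}
SSM_WORKERS = {"ssm-session-worker.exe", "ssm-session-worker",
               "ssm-document-worker.exe", "ssm-document-worker"}
SHELLS = {"dash", "sh", "bash"}

# KQL semantics: a quoted value is an exact match, an unquoted value with '*'
# is a wildcard; for array fields such as process.args any element may match.
PS_INVENTORY_EXCLUSIONS = [
    ("literal", "$str.Substring($str.length"),
    ("glob", "*Convert-GuidToCompressedGuid*"),
    ("glob", "get-wmiobject*"),
    ("glob", "$wmi_proc*"),
    ("glob", "*win32_quickfixengineering*"),
]
EXCLUDED_EXECUTABLES = [
    ("literal", "/usr/bin/lscpu"),
    ("literal", "/usr/bin/snap"),
    ("literal", "/usr/bin/rpm"),
    ("literal", "/usr/bin/dpkg-query"),
    ("glob", "/snap/snapd/*/usr/bin/snap"),
    ("literal", "/usr/bin/id"),
    ("literal", r"C:\Program Files\Amazon\SSM\Plugins\SessionManagerShell\winpty-agent.exe"),
]


def _match(value, kind, pattern):
    """Match one scalar the way KQL would: exact for quoted, glob for unquoted."""
    if value is None:
        return False
    return value == pattern if kind == "literal" else fnmatchcase(value, pattern)


def _any_arg(args, kind, pattern):
    """Array-field match: true if any element of the array matches."""
    return any(_match(a, kind, pattern) for a in (args or []))


def is_ssm_child_process(ev):
    """True when the event satisfies every clause of the rule's query."""
    if ev.get("event.category") != "process" or ev.get("event.action") not in PROCESS_ACTIONS:
        return False
    name, parent = ev.get("process.name"), ev.get("process.parent.name")
    args, pargs = ev.get("process.args"), ev.get("process.parent.args")
    ssm_lineage = (
        parent in SSM_WORKERS
        or (name == "powershell.exe" and _any_arg(args, "glob", "*awsrunPowerShellScript*"))
        or (name in SHELLS and _any_arg(args, "glob", "*awsrunShellScript*"))
        or (parent == "powershell.exe" and _any_arg(pargs, "glob", "*awsrunPowerShellScript*"))
        or (parent in SHELLS and _any_arg(pargs, "glob", "*awsrunShellScript*"))
    )
    if not ssm_lineage:
        return False
    # process.command_line:* only requires the field to be present.
    if ev.get("process.command_line") is None:
        return False
    # Tuning: SSM inventory helpers the rule deliberately ignores.
    if name == "powershell.exe" and any(_any_arg(args, k, p) for k, p in PS_INVENTORY_EXCLUSIONS):
        return False
    if any(_match(ev.get("process.executable"), k, p) for k, p in EXCLUDED_EXECUTABLES):
        return False
    return True


def matching_command_lines(events):
    """Command lines of the events the rule would surface, in input order."""
    return [ev["process.command_line"] for ev in events if is_ssm_child_process(ev)]


# Made-up script paths used by the constructed Run Command events below.
PS_SCRIPT = r"C:\ProgramData\Amazon\SSM\InstanceData\i-0example\awsrunPowerShellScript\_script.ps1"
SH_SCRIPT = "/var/lib/amazon/ssm/i-0example/document/orchestration/awsrunShellScript/_script.sh"
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    {  # 0: interactive Session Manager shell on Linux -> fires
        "event.category": "process", "event.action": "exec",
        "process.parent.name": "ssm-session-worker", "process.name": "bash",
        "process.executable": "/usr/bin/bash",
        "process.args": ["bash", "-c", "cat /etc/passwd"],
        "process.command_line": "bash -c 'cat /etc/passwd'",
    },
    {  # 1: Run Command PowerShell document on Windows -> fires
        "event.category": "process", "event.action": "start",
        "process.parent.name": "ssm-document-worker.exe", "process.name": "powershell.exe",
        "process.executable": PS_EXE,
        "process.args": ["powershell.exe", "-ExecutionPolicy", "Bypass", "-File", PS_SCRIPT],
        "process.command_line": "powershell.exe -ExecutionPolicy Bypass -File " + PS_SCRIPT,
    },
    {  # 2: grandchild of a Run Command shell script (parent.args branch) -> fires
        "event.category": "process", "event.action": "exec",
        "process.parent.name": "sh", "process.parent.args": ["sh", SH_SCRIPT],
        "process.name": "curl", "process.executable": "/usr/bin/curl",
        "process.args": ["curl", "-s", "http://169.254.169.254/latest/meta-data/"],
        "process.command_line": "curl -s http://169.254.169.254/latest/meta-data/",
    },
    {  # 3: SSM inventory collector -> excluded by the get-wmiobject clause
        "event.category": "process", "event.action": "start",
        "process.parent.name": "ssm-document-worker.exe", "process.name": "powershell.exe",
        "process.executable": PS_EXE,
        "process.args": ["powershell.exe", "-Command", "get-wmiobject win32_quickfixengineering"],
        "process.command_line": "powershell.exe -Command get-wmiobject win32_quickfixengineering",
    },
    {  # 4: pty helper spawned by the session worker -> excluded by executable
        "event.category": "process", "event.action": "start",
        "process.parent.name": "ssm-session-worker.exe", "process.name": "winpty-agent.exe",
        "process.executable": r"C:\Program Files\Amazon\SSM\Plugins\SessionManagerShell\winpty-agent.exe",
        "process.args": ["winpty-agent.exe"], "process.command_line": "winpty-agent.exe",
    },
    {  # 5: ordinary SSH login shell -> no SSM lineage
        "event.category": "process", "event.action": "exec",
        "process.parent.name": "sshd", "process.name": "bash",
        "process.executable": "/usr/bin/bash", "process.args": ["bash"],
        "process.command_line": "bash",
    },
    {  # 6: SSM child whose source omitted process.command_line -> no match
        "event.category": "process", "event.action": "exec",
        "process.parent.name": "ssm-session-worker", "process.name": "sh",
        "process.executable": "/bin/sh", "process.args": ["sh"],
    },
]

if __name__ == "__main__":
    for line in matching_command_lines(SAMPLE_EVENTS):
        print("match:", line)
```

Event 2 is the one worth pausing on: the process that actually does something interesting is often not the script interpreter but its child, which is why the rule carries the process.parent.args clauses in addition to the parent-name check. Event 6 illustrates the caveat from the description: a source that does not fill process.command_line never reaches the exclusion logic, because the `process.command_line:*` clause drops it first.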